⚠ Actively exploited

Added to CISA KEV on 2022-04-13. Federal agencies required to patch by 2022-05-04. Required action: The impacted product is end-of-life and should be disconnected if still in use..

CVE-2015-0313

CWE-416 — Use After Free19 documents12 sources

Severity

9.8CRITICAL

EPSS

92.8%

top 0.24%

CISA KEV

KEV

Added 2022-04-13

Due 2022-05-04

Exploit

Exploited in wild

Active exploitation observed

Affected products

Adobe Flash Player Microsoft Internet Explorer Opensuse Evergreen +3 more

Timeline

PublishedFeb 2

KEV addedApr 13

KEV dueMay 4

Latest updateMay 17

CISA Required Action: The impacted product is end-of-life and should be disconnected if still in use.

Description

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2015, a different vulnerability than CVE-2015-0315, CVE-2015-0320, and CVE-2015-0322.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages7 packages

▶NVDadobe/flash_player14.0.0.125 — 16.0.0.305+2

▶Ubuntuflashplugin-nonfree< 11.2.202.442ubuntu0.14.04.1

▶NVDsuse/linux_enterprise_desktop11, 12+1

▶NVDsuse/linux_enterprise_workstation_extension12

▶NVDopensuse/opensuse13.1, 13.2+1

Patches

Patch: technet.microsoft.com ↗Patch: technet.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-fg66-4vpm-36cx: Use-after-free vulnerability in Adobe Flash Player before 13↗2022-05-17

▶

CVEList

CVE-2015-0313: Use-after-free vulnerability in Adobe Flash Player before 13↗2015-02-02

▶

OSV

CVE-2015-0313: Use-after-free vulnerability in Adobe Flash Player before 13↗2015-02-02

▶

VulnCheck

Adobe Flash Player Use-After-Free Vulnerability↗2015

▶

💥Exploits & PoCs

Exploit-DB

Adobe Flash Player - ByteArray With Workers Use-After-Free (Metasploit)↗2015-03-31

▶

Exploit-DB

Adobe Flash Player - Arbitrary Code Execution↗2015-03-25

▶

📋Vendor Advisories

CISA

Adobe Flash Player Use-After-Free Vulnerability↗2022-04-13

▶

Red Hat

flash-plugin: multiple code execution flaws (APSB15-04)↗2015-02-04

▶

Red Hat

flash-plugin: multiple code execution flaws (APSB15-04)↗2015-02-04

▶

Red Hat

flash-plugin: use-after-free leading to code execution (APSB15-04)↗2015-02-02

▶

🕵️Threat Intelligence

Krebs

Yet Another Flash Patch Fixes Zero-Day Flaw↗2015-02-12

▶

Qualys

February 0-day for Adobe Flash - Update 2 | Qualys↗2015-02-02

▶

Qualys

February 0-day for Adobe Flash - Update 2 | Qualys↗2015-02-02

▶

Krebs

Yet Another Flash Patch Fixes Zero-Day Flaw – Krebs on Security↗2015-02-01

▶

💬Community

Bugzilla

flash-plugin: multiple code execution flaws (APSB15-04)↗2015-02-06

▶

Bugzilla

CVE-2015-0313 flash-plugin: use-after-free leading to code execution (APSB15-04)↗2015-02-02

▶

Bugzilla

(CVE-2015-0313) Blocklist flash 16.0.0.296 and earlier versions↗2015-02-02

▶